Problem Description:

How to set up SSL for Infoworks RestAPI.


Affected Infoworks version:

IWX-2.9.x


Solution/Workaround:

1)Configure rest_api.conf/ rest_api.conf.template under Nginx(ie $IW_HOME/resources/nginx-portable/conf/infoworks/rest-api.conf.template) as follows:


uncomment listen 1999 ssl;

comment listen 1999;

i.e

Before change:

listen 1999;

#listen 1999 ssl;


After change:

#listen 1999;

listen 1999 ssl;


Provide the SSL certificate path and key path:

ssl_certificate <path to your certificate file>;

ssl_certificate_key <path to your key file>;


Certificate file in the above path is either a chained certificate(if from a Trusted third party like GoDaddy) or else just certificate if it is self-signed.


2)Procedure to generate the chained certificate:

Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case, the authority provides a bundle of chained certificates that should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:

$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt


3)Also under $IW_HOME/conf/conf.properties we need to specify SSL related properties

#ssl_certificate_path=/path/to/ssl/crt

#ssl_root_certificate_path=/path/to/ssl/root.crt

#ssl_key_path=/path/to/ssl/key

#ssl_keystore_path=/path/to/key/store

#ssl_keystore_password=aes-encrypted-password


Enable the above-mentioned variables(ie remove # from the beginning of the line and provide the paths to certificates and key files)

Most of the cases both ssl_certificate_path & ssl_root_certificate_path will need to point to the chained.crt file that will be as mentioned in the above procedure.


4)Restart nginx ui and restapi services:


cd $IW_HOME/bin

./stop.sh nginx ui restapi && ./start.sh  nginx ui restapi


Now that all the RestAPI calls will make HTTPS requests instead of HTTP and will be accessible to the outside world via the 1999 port.



Related articles:

http://nginx.org/en/docs/http/configuring_https_servers.html